ertainly agree that we have different
concepts/metrics of "hard" or "easy" tasks.
Lennart
--
Lennart Poettering, Berlin
(which I guess I need to
> remind this audience that I am involved in more than Fedora, and every
> distribution I work on does use /boot/efi instead of /efi) is weird
> since it's not just Fedora. It's pretty much everyone.
Yeah, as the NEWS entry says, /boot/efi/ is commonly found. So?
Doesn't change the fact it's a bad idea and from systemd's PoV an
obsolete concept.
Lennart
--
Lennart Poettering, Berlin
k it
really should be time to clean up /boot/efi/, we don't want that
people get bored after the sbin-merge is complete, after all!
Lennart
--
Lennart Poettering, Berlin
t.
I know that Fedora is sadly behind on boot loader topics, but that's
no reason for changing our stance from systemd upstream on these
things.
Lennart
--
Lennart Poettering, Berlin
On Do, 25.04.24 12:49, Andy Pieters (syst...@andypieters.me.uk) wrote:
> On Thu, 25 Apr 2024 at 12:48, Lennart Poettering
> wrote:
>
> > On Mi, 24.04.24 14:48, Etienne Champetier (champetier.etie...@gmail.com)
> > wrote:
> >
> >
> > what is "last X Mo
om a given number of most recent months? if so, just
use:
journalctl --since=-3month
Lennart
--
Lennart Poettering, Berlin
e
way. Derparting from that rule just to be different is just annoying.
This is a warning, to push distros to just stop trying to be different
in this corner case, it's a waste of brain cells having to deal with
pointless differences like this everywhere.
let me turn this around: why do you think it's a great idea for
slackware being its own thing and naming these groups completely
differently for everyone?
Lennart
--
Lennart Poettering, Berlin
On Di, 16.04.24 15:02, Mikko Rapeli (mikko.rap...@linaro.org) wrote:
> Hi,
>
> On Mon, Apr 15, 2024 at 05:41:00PM +0200, Lennart Poettering wrote:
> > Would be good to have that with systemd.log_target=debug, to see if
> > tpm2.target even gets enqueued.
>
> Here is
On Mo, 15.04.24 17:41, Lennart Poettering (lenn...@poettering.net) wrote:
> > or the services needed for systemd-repart config with Encrypt=tpm2
>
> Ah, repart is interesting. We are missing the tpm2.target dependency
> there. That's a bug. Will fix.
→ https://github.com/syste
On Mo, 15.04.24 17:23, Mikko Rapeli (mikko.rap...@linaro.org) wrote:
> Hi,
>
> On Mon, Apr 15, 2024 at 04:02:46PM +0200, Lennart Poettering wrote:
> > On Mo, 15.04.24 10:38, Mikko Rapeli (mikko.rap...@linaro.org) wrote:
> >
> > > Hi,
> > >
> &g
s the
"tpm-ftpm_tee" thing carry no modalias info that autoloads it if some
specific hw is around?
Lennart
--
Lennart Poettering, Berlin
will generally report "ixon" on terminals,
including graphical ones. And C-S/C-Q is generally understood to just
work to suspend terminal output. Hence, turning this off would
probably be quite confusing to most.
Lennart
--
Lennart Poettering, Berlin
temd-udevd
> and systemd-timesyncd, also with status 11/SEGV which is segmentation
> fault, right?
Yes.
> I had this board running with an older version of systemd, but I can
> not remember which was the last good version.
>
> Could anyone give me a hint please how to debug this?
&qu
not be, they are
ordered against remote-fs.target instead, which is *not* ordered
before basic.target (simply because various network management
solutions do not run in early boot)
Lennart
--
Lennart Poettering, Berlin
On Do, 04.04.24 14:34, Agrain Patrick (patrick.agr...@al-enterprise.com) wrote:
> Hello,
>
> Is it possible to insert a custom foo.target between basic.target
> and multi-user.target by just adding some
> After/Before/Wants/Requires in the foo.[target | service] files ?
Yes.
Lenn
plicit Conflicts= dependency on umount.target.
This is briefly documented on the systemd-soft-reboot.service man page btw.
Lennart
--
Lennart Poettering, Berlin
On Do, 07.03.24 17:09, Vru Inbvi (vru.in...@gmail.com) wrote:
> Hi,
>
> I am struggling to install libudev from source (with Ubuntu)
> Can someone please explain what the correct way to do this is, or point me
> to relevant/updated documentation?
https://systemd.io/HACKING
Lenn
they
> > don#t want to patch the support for mode 3 in)
>
> So mode 2 only really makes sense for deployments which are only ever
> accessible from intranets with little junk traffic.
What precisely do you think is missing in systemd that
PollLimitIntervalSec=/PollLimitBurst=, MaxConnectionsPerSource=,
MaxConnections= can't cover?
Lennart
--
Lennart Poettering, Berlin
On Mi, 06.03.24 14:44, Shreenidhi Shedi (shreenidhi.sh...@broadcom.com) wrote:
> > Lennart Poettering, Berlin
>
> Thanks a lot for the responses Andrei, Poettering .
> We took it from blfs in PhotonOS.
> https://www.linuxfromscratch.org/blfs/view/11.3-systemd/introduction/syste
, I am not aware of any big distro shipping such a
unit file.
Lennart
--
Lennart Poettering, Berlin
lias.
But one unit cannot have two distinct [Install] sections, if that's
what you are looking for.
Lennart
--
Lennart Poettering, Berlin
the fact that you want things
dynamic (i.e. responsive to the fact whether your system has a
specific kind of tpm device/secure enclave) that means you have to do
with a generator.
Lennart
--
Lennart Poettering, Berlin
nerate the required deps to pull in
tee-supplicatnt@.service, and add the dev-tpmrm0.device dep just like
systemd-tpm2-generator does.
Lennart
--
Lennart Poettering, Berlin
dule at all? that smells...
Lennart
--
Lennart Poettering, Berlin
case:
https://github.com/systemd/systemd/pull/30194
That should hopefully solve this systematically and generically.
Lennart
--
Lennart Poettering, Berlin
).
Neither Weston nor libseat (whatever that is) are a systemd
thing. Please contact the relevant projects for help?
Lennart
--
Lennart Poettering, Berlin
nd check whether it matches "Particular
> String" or not.
You can use sd-device.h, allocate an sd_device_enumerator_new(), then
apply some filter via sd_device_enumerator_add_match_sysattr() and
then enumerate through it via
sd_device_enumerator_get_device_first()/sd_device_enumerato
s like an error message from some weston thing. Please ask
that community for help.
Lennart
--
Lennart Poettering, Berlin
ut the mixture of sysext and
ConditionNeedsUpdate=. This is unchartered territory. But I think we
can fix this. But please open issues about this.
Lennart
--
Lennart Poettering, Berlin
whatever happens, on boot we initialize it.
Lennart
--
Lennart Poettering, Berlin
igger a `systemctl reboot --force --force`
> command
As mentioned elsewhere in this thread just use RuntimeWatchdogSec= in
systemd-system.conf(5)
Lennart
--
Lennart Poettering, Berlin
On Mo, 05.02.24 13:54, Lennart Poettering (lenn...@poettering.net) wrote:
> you can just use the usual hw watchdog. If pid1 dies it will not ping
> the hw watchdog, and thus a reset is triggered automatically. In fact
> we actually configure the hw watchdog by default these days on hw t
at
has it (which are most PCs).
> 2: How do I get Systemd to freeze to test such program? I mean, if I kill
> Systemd, the kernel would crash so I have to somehow tell Systemd to freeze?
Not really, the kernel blocks SIGSTOP for PID1.
Lennart
--
Lennart Poettering, Berlin
On Mo, 05.02.24 09:24, Dominick Grift (dominick.gr...@defensec.nl) wrote:
Please run "SYSTEMD_LOG_LEVEL=debug systemd-pcrlock make-policy" from
the command line, then file a github issue about this, and pastethe
output there.
Lennart
--
Lennart Poettering, Berlin
... and I do not have a serial console.
>
> I am currently digging into systemd code to find out what is possibly wrong
> .. but if anyone gets a clue, I would appreciate !
Educated guess, you have no cgroupvs2 or so?
Would make sense to provide logs?, use strace to check what precisely
fails?
Ask you distro for help?
Lennart
--
Lennart Poettering, Berlin
ault behaviour. Anything listed in /etc/crypttab is ordered
before cryptsetup.target, which is ordered before sysinit.target,
which is ordered before basic.target, which is ordered before regular services.
Lennart
--
Lennart Poettering, Berlin
kely to be supported.
We should document this however I guess. Hence if you file an issue
that would be more than welcome, so that we can keep trakc of this.
Lennart
--
Lennart Poettering, Berlin
unit being enabled means that one wants to
> use it if possible - and if the libraries are missing that should be
> noticeable to the user instead of a silent fail.
No, the libs are installed, that's what the "systemd-creds has-tpm2"
output shows.
Lennart
--
Lennart Poettering, Berlin
y a TPM 1.2
device? (maybe your bios allows switching between TPM 2.0 and 1.2 modes)
It could be that we simply misdetect the tpm 1.2 case, i admittedly
never tested things on such a system. how old is that PC?
Lennart
--
Lennart Poettering, Berlin
On Do, 18.01.24 22:26, Morten Bo Johansen (morte...@hotmail.com) wrote:
> On 2024-01-18 Lennart Poettering wrote:
>
> > hence, any chance you can provide logs about this? and what kind of
> > system is this? i.e. does it really lack a tpm?
>
> I shall try to accommodate y
ust skips all these so that
everything always works fully automatically and robustly without any
ugly error output.
hence, any chance you can provide logs about this? and what kind of
system is this? i.e. does it really lack a tpm?
Lennart
--
Lennart Poettering, Berlin
n, then intend to give
guarantees that the shut down time is bounded: we first send SIGTERM,
and start a timeout. If by that timeout there are still processes left
we SIGKILL to put an end to things. If we'd somehow distinguish
new/old processes then we couldn't put the boundary on the shutdown
proc
/proc//coredump_filter.
> Am I wrong in understanding that private-anonymous usually maps to ?
> Also, wouldn't 0001 show something like coredump_filter=0x01 or
> CoredumpFilter=shared-anonymous?
I cannot parse this.
Lennart
--
Lennart Poettering, Berlin
is clearly on
automatic partitioning here though, if people want to manually and
precisely set the sizes of each partition in a UI, then repart is not
the tool they should use.
Lennart
--
Lennart Poettering, Berlin
pay
> the enterprise to perform all the management on their behalf.
I think adding some concept for this would be entirely fine, but this
really should be opt-in. Happy to review a patch for this.
I think in the longer run we need to hook this up with remote
attestation though, i.e. instead
epublished name.
My thinking was that clients would look at multiple entries which only
differ by the percentage (i.e. are identical in name and version) and
drop all of them but the one with the highest percentage, and ignore
all others.
Lennart
--
Lennart Poettering, Berlin
n
comparison explicit. This would implement a tiny subset of the
ConditionKernelVersion= logic, and simply default to imply <= if the
comparison is not specified explicitly.
Of course, a similar logic should then be implemented for MinVersion,
i.e. >= and >
> Should we continue this discussion on the mailing list or an issue?
Issue is better.
Lennart
--
Lennart Poettering, Berlin
py to review a patch, merge
something like this (at least file an RFE issue)
Lennart
--
Lennart Poettering, Berlin
machine IDs are no machine IDs at all in
the protocol, if we can get away with it. Hence, my idea of doing the
rollout percentage logic client-side.
Lennart
--
Lennart Poettering, Berlin
to kernel commandline
I don't know what this is, and what that has to do with uefi, sd-boot
or dt?
Anyway, the question is very confusing, I am not surprised noone
answered so far.
Lennart
--
Lennart Poettering, Berlin
On Do, 14.12.23 02:17, Nils Kattenbeck (nilskem...@gmail.com) wrote:
> On Wed, Dec 13, 2023 at 10:03 AM Lennart Poettering
> wrote:
> >
> > On Di, 12.12.23 23:01, Nils Kattenbeck (nilskem...@gmail.com) wrote:
> >
> > > > sysexts are erofs or squashfs fi
nt but isn't an enabled unit or anything, if I
> try to enable or unmask it I'm just told "Unit tmp.mount could not be
> found." or "Unit file tmp.mount does not exist."
/usr/share/systemd/ is not a directory systemd ever looks into for
unit files. If debian packaged something there, this smells like a
bug. Please report to your distro.
Lennart
--
Lennart Poettering, Berlin
o
the other at boot time.
Lennart
--
Lennart Poettering, Berlin
, regardless of whether it was changed by:
Please file this as git issue. It sounds like a bug report, which
should really go to github.
Lennart
--
Lennart Poettering, Berlin
r system.
Please state OS, systemd version and provide relevant logs. Otherwise
this is not actionable.
Lennart
--
Lennart Poettering, Berlin
back.
sysexts are erofs or squashfs file systems with verity backing. Only
the sectors you access are decompressed.
Lennart
--
Lennart Poettering, Berlin
you work for HPE,
so I'd assume your company actually has the funds to payroll this
though, if this matters to you.
Lennart
--
Lennart Poettering, Berlin
rofs/memmap
thing and so on. And make sure the initrd only contains stuff you
always need, so that reading it all into memory is necessary anyway,
and hence any approach that tries to run even the initrd off a disk
image won't be necessary becuase you need to read everything anyway.
Lennart
--
Lennart Poettering, Berlin
image will
> simply fail to mount as its root hash will be wrong.
systemd-sysext already covers this just fine: you can encode in their
"extension-release" file to which base images they match up, and
systemd-syext will then find the right one to apply, and ignore the
others. Thus just make sure you drop in the sysexts fist, and the UKI
last and things should be perfectly robust.
Lennart
--
Lennart Poettering, Berlin
end, systemd-pcrlock and so on. I am sorry, but doing
reasonable disk encryption with TPM involved means you either buy into
the whole systemd offer (i.e. with the service manager) or you have to
rewrite your own systemd.
But maybe I am misunderstanding what you are saying here.
Lennart
--
Lennar
tub also generates initrd cpios on the fly, to pass
credentials and system extension images to the kernel, and you can't
really mix erofs and cpio initrds into one)
Lennart
--
Lennart Poettering, Berlin
he UKI btw, so they end
up being loaded together with the rest of the kernel, and need no
verity becaused signed along with the UKI itself.
Lennart
--
Lennart Poettering, Berlin
decompress and process the whole
> thing and mount it like an erofs alternatively. Does this sound crazy
> or reasonable?
You are re-inventing the traditional "initrd" logic of the kernel
which was a ramdisk (i.e. a block device /dev/ram0), that was filled
with some fs of your choice loaded by the boot loader.
Lennart
--
Lennart Poettering, Berlin
On Mo, 11.12.23 10:57, Lennart Poettering (mzerq...@0pointer.de) wrote:
> Which leaves item 1, which is a bit harder to address. We have been
> discussing this off an on internally too. A generic solution to this
> is hard. My current thinking for this could be something like this,
&
eded disk encryption shall operate and how measurement shall
work. Security must be built into things from the beginning, not be
added as an afterthought.
Lennart
--
Lennart Poettering, Berlin
> later.
Well, that's not supported then. You need XDG_RUNTIME_DIR set up
properly, and that's what the PAM module gives you. If you turn off
the PAM module then you get to keep the pieces, you voided your
warranty.
Lennart
--
Lennart Poettering, Berlin
UID gave me the same result as
> the 503.
It's a bad idea to run user stuff as system user.
Lennart
--
Lennart Poettering, Berlin
r-runtime-dir@.service which
is responsible for creating that dir with right perms.
is 504 a system user? or a regular user?
systemd generally assumes the boundary between system and regular
users is between 999 and 1000.
But user@.service is really just for regular users, not system users,
hence my qu
rd.service - TPM2 PCR
> Barrier (initrd).
> ...
> systemd-pcrphase[130]: Failed to load TPM2 libraries: Operation not
> supported
> ...
It appears you are lacking the tpm2-tss libraries in your initrd image.
Lennart
--
Lennart Poettering, Berlin
/sysext/
There is a video from ASG how this fits together:
https://www.youtube.com/watch?v=XTy3scX6rF4
There's no tutorial how to put this together though. Contributing that
would be very welcome of course!
Lennart
--
Lennart Poettering, Berlin
and document
> it somewhere.
>
> What do you think?
I commented on the github issue. At this time I think more people are
subscribed to that than watch this ML.
Lennart
--
Lennart Poettering, Berlin
d-dispatcher?
I see no reason why we wouldn't add a high-level option for this to
.link files.
We are happy to review/merge a patch. Please submit via GitHub.
Lennart
--
Lennart Poettering, Berlin
On Mo, 04.12.23 13:01, Pintu Agarwal (pintu.p...@gmail.com) wrote:
> Hi,
> Any comments or suggestions on the below ?
I already replied.
https://lists.freedesktop.org/archives/systemd-devel/2023-November/049706.html
Lennart
--
Lennart Poettering, Berlin
e it has an OS tree (/usr/ directory is
missing). Refusing.
And that's your explanation: you need an /usr/ directory.
Lennart
--
Lennart Poettering, Berlin
On Mo, 27.11.23 21:32, Richard Weinberger (richard.weinber...@gmail.com) wrote:
> On Mon, Nov 27, 2023 at 9:29 AM Lennart Poettering
> wrote:
> > If they conceptually should be considered block device equivalents, we
> > might want to extend the udev logic to such UBI dev
that does not involve any broker, and thus always works.
Lennart
--
Lennart Poettering, Berlin
ess("/run/udev/queue", F_OK) < 0 ?
>(errno == ENOENT ? true : -errno) : false;
> }
This doesn't really work. udev might still process the device in the
background.
Lennart
--
Lennart Poettering, Berlin
So it certainly
works, it's how this all works on my local machine since forever.
Maybe ask your distro for help, it's generally an integration issue of
distributions i this doesn't work.
Lennart
--
Lennart Poettering, Berlin
ld be possibly to implement a GMemoryMonitor on top of the
kernel APIs directly, using the information systemd gives you. See the
documentation. It even briefly mentions GMemoryMonitor at the end.
If you have any questions about details, feel free to ask!
Lennart
--
Lennart Poettering, Berlin
On Mo, 30.10.23 10:17, Lennart Poettering (lenn...@poettering.net) wrote:
> On Fr, 27.10.23 20:46, Tony Rodriguez (unixpro1...@gmail.com) wrote:
>
> > Andrea asked for more details so I have provide this verbose output.
> >
> > 1) Lennart's recommendation of removing
; "/var" or "/usr".
If /usr/ is split off it *must* be mounted even earlier than /tmp/: it
must be mounted in the initrd, nothing else is supported, sorry.
If /var/ is split off it must be mounted at the same point as /tmp/,
i.e some time in early boot, not necessarily in the initrd though.
Lennart
--
Lennart Poettering, Berlin
want that /tmp/ is mounted after the network, but
your network is configured really late. But /tmp is necessary during
early boot. BOOM!
Two ways out:
1. Don't make /tmp an iscsi mount. Bad idea anyway. Just use tmpfs for
it, like everyone else.
2. Upgrade to a better network management solution that has no
problems with running in early boot, for example systemd-networkd.
Lennart
--
Lennart Poettering, Berlin
l ro/rw state of the disks, expecting that
/etc/fstab later changes things to the final setting. And if neither
are specified we imply "ro".
Hence, you have two choices: define an /etc/fstab (which of course is
not what you want with gpt-auto) or just add "rw" to the kernel cmdline.
Lennart
--
Lennart Poettering, Berlin
rams, then you can script around this,
with a script like this:
```c
#!/bin/bash
read -r MYCRED < "$CREDENTIALS_DIRECTORY"/mycred
export MYCRED
exec mybinary
```
you get the idea.
Lennart
--
Lennart Poettering, Berlin
"ro" or "rw" on the kernel cmdline?
Lennart
--
Lennart Poettering, Berlin
UKI image in system-boot?
> Or is there any UEFI interface hook to implement such a change in UEFI to
> make a selection of DTB, just like DT_FIXUP ?
There's a PR for this:
https://github.com/systemd/systemd/pull/28959
But it hasn't seen progress in the past 3 weeks.
Lennart
--
Lennart Poettering, Berlin
n
during the initial transaction if avoidable. Better approaches are to
put together generators or so, which can augment the set of units and
their dependencies already when the first transaction is put together.
https://www.freedesktop.org/software/systemd/man/systemd.generator.html
Lennart
--
Lennart Poettering, Berlin
. One possible solution/workaround in systemd would be to
> retry under this condition. Or perhaps this should be considered a bug in
> the container runtimes?
Yes, that's what I think. They should fix that.
Lennart
--
Lennart Poettering, Berlin
Why was the decision taken to put these into /usr/lib/systemd instead of
> /usr/libexec/systemd/?
That's a Fedoraism. Why would one put something there?
/usr/lib/ is where private arch-dependent package stuff goes. What's
the rationale for /usr/libexec/ though?
Lennart
--
Lennart Poettering, Berlin
anks in advance for indicating, if systemd-cryptsetup (the binary) is a
> tool users may rely on.
Yes, absolutely.
The only reason when we might break things for you is when we one day
move it from /usr/lib to /usr/bin, ;-)
Hence: the call interface is certainly stable, the location in that
sense m
Hence, TLDR: don't make the lock file a symlink. (Also, why would you even?)
Lennart
--
Lennart Poettering, Berlin
o rhgb'
>
> Then added a boot entry:
> > efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ612.EFI -L "Fedora
> > UKI"
>
> Unfortunately when trying to boot this I get:
> > Bad kernel image: Load Error
That suggests the kernel you picked does not ca
On Mo, 11.09.23 11:39, Nils Kattenbeck (nilskem...@gmail.com) wrote:
> On Mon, Sep 11, 2023, 10:54 Lennart Poettering
> wrote:
>
> > On So, 10.09.23 00:33, Nils Kattenbeck (nilskem...@gmail.com) wrote:
> >
> > > Hello, I am currently trying to build a
t; to specify it as the root partition and exclude /usr and /var in it?
> Any help would be appreciated.
If you want /etc/ split off, then the discoverable partition spec
won't help you: you have to mount it explicitly from your initrd.
Lennart
--
Lennart Poettering, Berlin
tirely complete yet. Sorry!
It's such a thankless job! But it's definitely on our TODO list.
If you can't guess how things work from the header, let us know, we
can provide you here with the necessary info to get things off the
ground.
Lennart
--
Lennart Poettering, Berlin
ify" that does all of this for you in one
relatively easy step, it's our recommended approach to building UKIs
these days.
Lennart
--
Lennart Poettering, Berlin
tional kernels, instead of sd-boot/sd-stub and UKIs. PCR
measurements are messy there, and the pcr signature stuff as
implemented in systemd-measure doesn't work there.
Lennart
--
Lennart Poettering, Berlin
nization guarantess since journalctl started
that way will just read the data from the journal files unsynchronized
as everyeone else too.
Lennart
--
Lennart Poettering, Berlin
property via some udev rule to
something reasonable, for the devices you add... I have no idea how
that looks like for your specific type of devices.
Lennart
--
Lennart Poettering, Berlin
. Restricting the shared resources available to a
> given seat, allocating them fairly, etc., is a different problem (and
> arguably one that I'd tackle per user and not per seat).
CPU/RAM are by default resource managed, i.e. each user logged in gets
a similar amount under pressure, as controlled via th
1 - 100 of 8632 matches
Mail list logo
